On Wed, 19 Dec 2007 14:55:51 -0500, Tom "spot" Callaway wrote: > > On Wed, 2007-12-19 at 11:52 -0800, Bryan O'Sullivan wrote: > > > Is the package signing step done by hand? That's been my understanding, > > but maybe I'm missing something. It reminds me of Sigourney Weaver's > > role in "Galaxy Quest": a seemingly needless insertion of people into > > the process. > > > > If so, why? Can we switch to an automated process? > > It is currently a manual process, and Jesse Keating has been working for > some time to make an open source signing server that will work for > Fedora's infrastructure needs but also be useful for anyone. A signing-server doesn't fix everything. It may help with the security implications of giving away the key password as was done for Extras. But hoping for much more frequent or automated pushes of non-critical updates would be insane. Releasing new repodata and new packages too often would make the repositories a moving target for all mirrors. The updates repository is continuously flooded with version upgrades, which move farther away from the tested gold release of the distribution only to break due to new bugs, which then require further updates. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
